CVE-2026-28387

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
07/04/2026
Last modified:
08/04/2026

Description

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs, for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage, are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary.
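The affected condition above is a property of the server's published TLSA RRset combined with which certificate usages the client honours. The following added example (not code from the CVE record or from OpenSSL) parses TLSA records in RFC 6698 presentation form, flags an RRset that mixes PKIX-TA(0)/PKIX-EE(1) with DANE-TA(2), and applies the RFC 7672 SMTP rule that discards the PKIX usages; the sample RRset and its digest values are constructed placeholders.

```python
# Added example, not part of the CVE record or OpenSSL: classify a TLSA RRset
# by certificate usage to see whether it matches the CVE-2026-28387 condition,
# i.e. PKIX-TA(0)/PKIX-EE(1) records published alongside a DANE-TA(2) record.
# Presentation format per RFC 6698: "<usage> <selector> <mtype> <hex data>".
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
PKIX_USAGES = {PKIX_TA, PKIX_EE}

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: bytes

def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse one TLSA record in presentation form, e.g. '3 1 1 ab12...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"out-of-range TLSA field in: {rdata!r}")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def mixes_pkix_and_dane_ta(rrset) -> bool:
    """True when the RRset carries both a PKIX-TA/PKIX-EE record and a DANE-TA
    record: the combination the advisory names as the trigger for clients that
    honour both usage families."""
    usages = {r.usage for r in rrset}
    return bool(usages & PKIX_USAGES) and DANE_TA in usages

def rfc7672_usable(rrset):
    """Apply the RFC 7672 SMTP rule: PKIX usages are treated as unusable, so only
    DANE-TA(2) and DANE-EE(3) records remain for the client to match against."""
    return [r for r in rrset if r.usage in (DANE_TA, DANE_EE)]

# Constructed sample RRset (digest values are placeholders, not real certificates).
SAMPLE_RRSET = [parse_tlsa(s) for s in (
    "0 0 1 " + "11" * 32,   # PKIX-TA(0): anchor that must also validate via PKIX
    "2 1 1 " + "22" * 32,   # DANE-TA(2): combined with PKIX, the affected case
    "3 1 1 " + "33" * 32,   # DANE-EE(3): the usual SMTP deployment
)]

if __name__ == "__main__":
    print("mixed PKIX + DANE-TA:", mixes_pkix_and_dane_ta(SAMPLE_RRSET))
    print("usable under RFC 7672:", [r.usage for r in rfc7672_usable(SAMPLE_RRSET)])
```

Feeding the output of a TLSA lookup for your own servers through `mixes_pkix_and_dane_ta` shows whether a non-SMTP client honouring all usages would even encounter the affected combination, while `rfc7672_usable` shows why an MTA following RFC 7672 does not.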

Impact